Massachusetts’s Data Protection Law - 201 CMR 17.00

What is MA 201 CMR 17.00?

Massachusetts has passed a data protection regulation that is arguably one of the most stringent in the nation. 201 CMR 17.00 mandates that “every person who owns, licenses, stores or maintains personal information about a resident of the Commonwealth [of Massachusetts] shall be in full compliance with 201 CMR 17.00” by the deadline of January 1, 2010. Every person and business that holds such personal information must have a written, adequate protective program in place to prevent unauthorized access to it, must run firewall and malware protection on the computer systems involved, and must encrypt all records containing personal information that are transmitted across public networks or wirelessly.


What are the requirements?

According to the definitions in 201 CMR 17.02, personal information is a Massachusetts resident’s first name (or first initial) and last name in combination with any one or more of the following data elements relating to that resident: Social Security number; driver’s license number or state-issued identification card number; or financial account number, or credit or debit card number, with or without any required security code, access code or password that would permit access to the resident’s financial account. Note that the definition is a conjunction: a name alone, or an account number alone, is not “personal information” under the regulation; the two together are.
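Because the definition is a conjunction, scoping a data set for 201 CMR 17.00 means finding records that carry both a name and at least one of the listed identifiers. The following Python script is an added example written for this post (it is not code from the original page or from LeapFILE) that applies that test to a CSV export. It looks for Social Security numbers by syntax, for payment card numbers by length plus a Luhn check so that other long numeric IDs are not counted, and for license and account numbers by column name, since those have no checkable format. The column-name keywords and the sample rows are assumptions, and the sample data is fictitious.

```python
"""Scan a CSV export for rows that meet the 201 CMR 17.02 definition of
"personal information": first name or first initial plus last name, combined
with a Social Security number, a driver's license / state ID number, or a
financial account or payment card number.

Added example, not code from the original post or from LeapFILE. The column
name keywords and the sample rows below are assumptions for illustration."""

import csv
import io
import re

# SSN in 9-digit or 3-2-4 form; rejects the number ranges the SSA never issues.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}(?!\d)")
# Candidate payment card numbers: 13-19 digits, optionally space or dash separated.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed column naming conventions for identifiers that have no checkable syntax.
LICENSE_COLS = re.compile(r"license|licence|driver|state_id", re.I)
ACCOUNT_COLS = re.compile(r"account|acct|iban|routing", re.I)
NAME_FIRST = re.compile(r"first|given|initial", re.I)
NAME_LAST = re.compile(r"last|surname|family", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from other long numeric IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def has_name(row: dict) -> bool:
    """First name or first initial plus last name, from split or combined columns."""
    first = any(NAME_FIRST.search(k or "") and (v or "").strip() for k, v in row.items())
    last = any(NAME_LAST.search(k or "") and (v or "").strip() for k, v in row.items())
    if first and last:
        return True
    # A single "name" column counts when it holds at least two tokens (e.g. "J Smith").
    return any((k or "").strip().lower() == "name" and len((v or "").split()) >= 2
               for k, v in row.items())


def identifiers(row: dict) -> set:
    """Which 17.02 identifier kinds appear anywhere in this row."""
    found = set()
    for col, val in row.items():
        col, val = col or "", val or ""
        if SSN_RE.search(val):
            found.add("ssn")
        for m in CARD_RE.finditer(val):
            if luhn_ok(re.sub(r"[ -]", "", m.group())):
                found.add("card_number")
        if LICENSE_COLS.search(col) and val.strip():
            found.add("license_or_state_id")
        if ACCOUNT_COLS.search(col) and val.strip():
            found.add("financial_account")
    return found


def in_scope(row: dict) -> set:
    """Identifier kinds that make this row 'personal information'; empty if none."""
    ids = identifiers(row)
    return ids if has_name(row) else set()


def scan_csv(text: str) -> list:
    """Return (1-based data row number, sorted identifier kinds) for in-scope rows."""
    hits = []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=1):
        ids = in_scope(row)
        if ids:
            hits.append((n, sorted(ids)))
    return hits


# Constructed sample export with fictitious values, used to exercise the rules.
SAMPLE_CSV = """first_name,last_name,ssn,account_number,notes
J,Smith,123-45-6789,,MA resident
Alice,Jones,,,prefers email
,,234-56-7890,,name missing
Bob,Lee,,,card on file 4111 1111 1111 1111
Carol,Ng,,ACCT-0099812,
Dan,Kim,,,order ref 4111111111111112
"""

if __name__ == "__main__":
    for row_no, kinds in scan_csv(SAMPLE_CSV):
        print(f"row {row_no}: in scope ({', '.join(kinds)})")
```

Rows 1, 4 and 5 are flagged: an initial plus surname with an SSN, a name with a Luhn-valid card number buried in a free-text column, and a name with an account number. Row 3 has an SSN but no name, and row 6 has a 16-digit value that fails the Luhn check, so neither is reported. A scanner like this is a scoping aid, not a substitute for knowing your data; it cannot tell which individuals are Massachusetts residents, and any file it does flag falls under the encryption requirements for portable devices and public-network transmission.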

The regulation requires adequate computer system security measures to protect personal information. Section 17.04 lists them:

  • Secure user authentication protocols
  • Secure access control measures
  • Encryption of all transmitted records and files containing personal information that will travel across public networks or wirelessly
  • Reasonable monitoring of systems for unauthorized use of or access to personal information
  • Encryption of all personal information stored on laptops or other portable devices
  • Reasonably up-to-date firewall protection and operating system security patches
  • Malware protection, with patches and virus definitions updated on a regular basis
  • Education and training of employees on the proper use of the computer security system and the importance of personal information security

For details and full text of the law, see here.


Why does it matter?

This regulation applies to all persons and businesses, whether located inside or outside Massachusetts, that own, license, store or maintain personal information about Massachusetts residents. In other words, even if your business is not located in Massachusetts, if you hold personal information about any client or employee who is a Massachusetts resident, you need to comply.

Massachusetts’ new data protection regulation is even more comprehensive than the Nevada data transmission encryption law that we discussed in an earlier post. Encryption of personal information is required at several points: whenever it is transmitted electronically across a public network or sent wirelessly, and whenever it is stored on a portable device such as a laptop computer or flash drive. In 201 CMR 17.02, encryption is defined as “the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key”. The practical consequence of that definition is that the protection lives in the key: an encrypted laptop whose key is stored on the same device, or a password-protected file whose password travels in the same email, does not meet the intent of the definition.

Additionally, the regulation requires you to take reasonable steps to verify that any third-party service provider with access to personal information is capable of protecting it to the same standard that 201 CMR 17.00 requires of you, so a vendor’s security controls should be reviewed, and ideally contractually required, before the data is shared.


How LeapFILE can Help

Connect with us to learn more about how LeapFILE's secure file transfer & collaboration solutions can resolve data security compliance issues, get updates on data security regulations and join others in discussions for compliance best practices!

Find out how LeapFILE can help you here.